Highlights
- Researchers exploited WhatsApp’s contact-discovery feature to collect 3.5 billion phone numbers, profile photos, and status texts.
- The flaw dates back years and was reportedly known to Meta, raising concerns over delayed action.
- Meta acknowledged the issue as a design oversight and not a bug..
Caption – (Photo by Dima Solomin on Unsplash)
WhatsApp recently faced a major privacy concern after security researchers uncovered a flaw. It seems that an internal flaw in the Meta-owned app allowed the extraction of phone numbers and profile information of billions of users. Here’s more on that.
WhatsApp Flaw Exposed User Phone Numbers
A research team from the University of Vienna disclosed that they successfully collected 3.5 billion phone numbers using what they termed a “simple” method that exploited WhatsApp’s contact-discovery feature. This mechanism is intended to check if a phone number is registered on the platform, but because WhatsApp had no effective rate limits, the system allowed millions of automated queries per hour.
By sending these automated checks, the researchers not only identified active WhatsApp accounts but also retrieved profile photos and status texts associated with many of them. They warned that if this flaw had been exploited by malicious entities, it could have resulted in the “largest data leak in history.”
According to the researchers, this vulnerability dates back to at least 2017. The timeline is also concerning since Meta had received warnings about similar privacy risks previously. WhatsApp’s contact-discovery tool, designed for convenience by syncing a user’s address book, inadvertently enabled large-scale data harvesting.
Meta’s Response
Meta acknowledged the flaw but suggested it stemmed more from an overlooked design choice than a technical bug. In a statement to Wired, WhatsApp’s vice president of engineering Nitin Gupta said, “This study was instrumental in stress-testing and confirming the immediate efficacy of (anti-scrapping) new defences We have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers.”
Meta has since added rate limits to prevent excessive querying of WhatsApp numbers. The company also stated that only publicly accessible information was exposed due to the flaw. Public information on WhatsApp includes phone numbers, name and profile photos.
The researchers further revealed that they used WhatsApp Web to submit high-volume contact-discovery requests, managing to scrape millions of entries every hour. They found that profile photos were visible for about 57% of the identified accounts, while profile text was accessible for 29%.
The method reportedly worked even in countries where WhatsApp is banned such as China, Iran, Myanmar, and North Korea.
Once the scale of the issue became clear, the researchers reported the flaw to Meta and deleted the scraped database after concluding their study. According to the report, Meta took roughly six months to implement a fix and introduce proper rate limits.
FAQs
Q1. What flaw did researchers discover in WhatsApp’s system?
Answer. Researchers found that WhatsApp’s contact-discovery feature lacked rate limits, allowing automated queries to extract 3.5 billion phone numbers, profile photos, and status texts.
Q2. Was any private or encrypted data compromised in the breach?
Answer. No. According to Meta, only publicly accessible information like phone numbers and profile photos was exposed. Messages remained secure due to end-to-end encryption.
Q3. How has Meta responded to the recent Phone number vulnerability?
Answer. Meta acknowledged the issue as a design oversight, not a bug, and has since implemented rate limits to prevent mass data scraping. The flaw reportedly existed since 2017.